On 08/09/2017 10:33 PM, intrigeri wrote: > Christian Seiler: >> On 08/06/2017 05:32 PM, intrigeri wrote: >>> Rules that are not supported by the running kernel are silently >>> ignored, i.e. the operation is allowed. > >> Is there at least a warning during the load of the profile? > > There used to be a warning, but it was causing lots of confusion in > Debian: users were wondering if *any* of the AppArmor profile that > caused warning was applied at all. So in Jessie we decided to hide > these warnings.
Good to know. And since this kind of warning is more likely to lead people to disable AppArmor altogether because they want to get rid of the message and are scared by it, you're probably right in removing that warning, because limited AppArmor protections are probably still better as a defense-in-depth strategy than none at all. >> Or, conversely, is there a possibility to add a flag to the AppArmor >> profile to say "fail to load it if something is not understood"? In >> that case all profiles shipped by Debian would not include that (for >> interoperability reasons) but it could be documented that as a best >> practice for admins they should use that flag so that they can be >> sure that all protections they specified are actually affected. > > If we're fine with relying purely on documentation to address this > problem for sysadmins writing their own profiles, then we can suggest > they use the existing apparmor_parser options about this: > > alias apparmor_parser='apparmor_parser --warn=rules-not-enforced > --warn=rule-downgraded' > > … and then no new code needs to be written :) > > Would that be good enough in your opinion? If that documentation is easy enough to find: sure, yes. Speaking of: are there any good introductions for AppArmor? Not necessarily for me personally (I've had some experience with SELinux, so I recon I'll figure AppArmor out easily enough), but for beginners? Something I can point friends of mine to? Ideally something that doesn't just describe the syntax, but also best practices? When I first ran into SELinux I found a couple of tutorials which did things where I thought, well this doesn't seem quite well enough thought out, I can think of a couple of corner cases where this would fainot do what it was advertising, only to later find that my impression was true and people with even more knowledge of SELinux talked about not doing the things I had seen in these tutorials, and suggesting more sensible things as best practices. Unfortunately the writings by the real experts were not in tutorial form. For buster, if AppArmor is enabled by default (which btw. I'm in favor of, in case that was not clear), I think we should take care to nudge people towards the resources that describe best practices. Regards, Christian